LCA: CSP for cross-site scripting protection

Posted Feb 7, 2013 10:50 UTC (Thu) by Cato (subscriber, #7643)
Parent article: LCA: CSP for cross-site scripting protection

Great to see coverage of this XSS protection - according to http://caniuse.com/contentsecuritypolicy it's supported by a wide range of browsers beyond Firefox and Chrome, including various Webkit browsers and even IE10, but not yet Opera.

While it can't help with IE9 or earlier, it does at least limit the attack surface for XSS to users on those browsers.

This blog posting has a good overview and outline of how to deploy CSP: https://blog.whitehatsec.com/content-security-policy/


(Log in to post comments)

LCA: CSP for cross-site scripting protection

Posted Feb 7, 2013 20:55 UTC (Thu) by roc (subscriber, #30627) [Link]

From caniuse: "IE 10's support is limited to the 'sandbox' directive." So it doesn't have any of the features that Francois talked about. It's basically got CSP syntax for the <iframe sandbox> feature, and none of the actual CSP features.
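As an added example (not code from LWN or either commenter), here is a minimal evaluator for the script-loading part of a Content-Security-Policy header. A policy with `script-src`/`default-src` constrains where scripts may come from, while a policy consisting only of the `sandbox` directive, the subset described above for IE10, says nothing about script sources, so it would not stop an injected script. The policies, origins and URLs below are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed policies (assumed, not from the page): a policy with real
# source restrictions, and the sandbox-only subset that IE10 implemented.
FULL_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.org"
SANDBOX_ONLY_POLICY = "sandbox allow-forms"

def parse_policy(header):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_matches(source, target):
    """Match one host-source (e.g. https://cdn.example.org or *.example.org)."""
    if "://" in source:
        scheme, _, host = source.partition("://")
        if scheme != target.scheme:
            return False
    else:
        host = source
    if host.startswith("*."):
        return target.hostname is not None and target.hostname.endswith(host[1:])
    return target.hostname == host

def script_allowed(header, page_origin, script_url=None, inline=False):
    """True if the script would run under the policy given the page's origin."""
    policy = parse_policy(header)
    # script-src falls back to default-src; if neither exists CSP is silent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True          # no applicable directive: nothing is blocked
    if inline:
        return "'unsafe-inline'" in sources
    target = urlparse(script_url)
    for src in sources:
        if src == "*" or (src == "'self'" and
                          f"{target.scheme}://{target.netloc}" == page_origin):
            return True
        if src.endswith(":") and src[:-1] == target.scheme:
            return True      # scheme-source such as https:
        if not src.startswith("'") and host_matches(src, target):
            return True
    return False
```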

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds